On 06/22/2013 03:02 PM, Brian Wolff wrote:
On 2013-06-22 6:49 PM, "Thehelpfulone" thehelpfulonewiki@gmail.com wrote:
On 22 June 2013 22:33, Alex Monk krenair@gmail.com wrote:
I've just found out that WMF's Bugmeister Andre Klapper removed "nearly everyone"'s Bugzilla adminship (and people with root access on the servers now have access to a file which contains login details for an 'emergency admin' account).
Details: https://wikitech.wikimedia.org/wiki/Bugzilla.wikimedia.org#How_to_log_in_as_...
So I have some questions:
This wasn't a sudden removal - Andre discussed it with ops and emailed *every* admin first, so it's far less dramatic than you may think. He's also been working on https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy, which I believe has approval from the relevant people (I can't think who that is off the top of my head).
Be that as it may, it still would have been nice for this to be publicly discussed (or at least publicly announced), especially given the current political controversies surrounding rights removals from wmf services.
-bawolff
Thehelpfulone, thanks for the quick response here.
Andre and I have both been traveling today, and I think he might still be traveling for the next day or so, so I want to say what I know as we wait for something more definitive from Andre.
Andre mentioned the plans and linked to the draft guidelines in the April engineering report https://blog.wikimedia.org/2013/05/02/wikimedia-engineering-april-2013-repor... , and mentioned the reduction in the number of Bugzilla administrators in the May report https://blog.wikimedia.org/2013/06/10/wikimedia-engineering-may-2013-report/ , and I'm sorry you didn't see those. What can we do to ensure that more people see those updates? Regardless, perhaps we should have advertised the change more broadly.
I know Andre reached out to every existing Bugzilla admin, to WMF Operations, and to the WMF legal department during this process; I believe that he's just finalized the policy https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy with Legal late last week per https://www.mediawiki.org/wiki/Bug_management/status#2013-06-14 , and he's been at a conference all this week. Once it was finalized we should have communicated it more widely; this coming week I'll consult with Guillaume and Andre to make sure that happens.
Tyler wrote:
I'd also like to know this information. Being a Bugzilla admin and helping out with the bug workflow and security issues and whatnot has always been something I've wanted to do. But if the WMF is trying to consolidate for some reason...
One thing Andre did when reaching out to current administrators was to figure out what sorts of work they did and wanted to do, so as to properly use *groups* rather than simply giving out admin access for all those reasons. Chris Steipp wrote, "Giving users a special-purpose group instead of administrator supports w:Least_privilege, which is a good thing." ( https://www.mediawiki.org/wiki/User_talk:AKlapper_%28WMF%29/BugzillaAdminPol... )
My understanding is that approximately everyone who had their admin access removed simply got membership in groups to do the things they wanted to do, e.g., create new products, components, milestones, etc. For instance, James Forrester went from BZ admin to having pretty much all rights except BZ admin (edit users, products, components, milestones, and see security bugs). I am no longer a BZ admin since the reduction, so I don't know who's got what privileges, but I know it's not just Foundation staff. For some more details on what kinds of tasks require (or might require) Bugzilla admin rights, see https://wikimediafoundation.org/wiki/Bugzilla_administrator_rights_policy#Ta... and http://blogs.gnome.org/aklapper/2013/05/28/understanding-bugzilla-groups-and... . Basically, people can do administrative stuff without being BZ administrators.
We're definitely interested in helping people help Wikimedia on bug workflow and security issues! It would be necessary for you to sign a nondisclosure agreement to access security bugs or to get BZ admin access to edit the workflow, I believe (from my reading of the policy). But Andre would know more. Andre?